Page 2
A critical heap buffer overflow vulnerability was discovered and patched in the centitoml TOML parser, where missing integer overflow validation on a `MALLOC(len+1)` call could allow an attacker to trigger memory corruption via a crafted TOML configuration file. The vulnerability (CWE-190) is reachable through community-distributed mod or map files that the game loads from its `config/` directory, making it a realistic attack vector for remote code execution. A targeted one-line guard now preven
A critical buffer overflow vulnerability was discovered in `phlib/nativefile.c`, where multiple `memcpy` calls copied filename and extended-attribute data into fixed-size structures without verifying that source lengths didn't exceed destination buffer boundaries. An attacker supplying an oversized filename or EA name could corrupt adjacent heap memory, potentially enabling arbitrary code execution. The fix replaces unchecked arithmetic with Windows' safe integer helpers (`RtlULongAdd`, `RtlULon
A critical path traversal vulnerability in a ZMODEM file receiver allowed a malicious sender to supply crafted filenames containing directory traversal sequences (like `../../.ssh/authorized_keys`), causing the receiver to write file contents to arbitrary locations on the filesystem. The fix strips path separators and validates filenames before use, ensuring received files can only be written to the intended download directory. This class of vulnerability is a stark reminder that any input origi
A critical heap buffer overflow vulnerability was discovered in `libretro-db/rmsgpack_dom.c`, where a missing integer width cast allowed an attacker-controlled string length value of `UINT32_MAX` to wrap around to zero, completely collapsing the bounds check before a `memcpy` call. The fix is a single targeted cast to `uint64_t` that closes the overflow window and ensures the bounds check behaves correctly regardless of the input value. This class of vulnerability is a textbook example of how in
A critical heap buffer overflow vulnerability was discovered in `src/chart/main.c`, where `memcpy` and `memmove` calls failed to validate buffer sizes before copying color calibration data — allowing a crafted input file to overwrite heap metadata and adjacent memory. The fix adds allocation failure checks after `realloc` calls and replaces `malloc` with `calloc` to zero-initialize buffers, eliminating the risk of uninitialized memory being exploited. This type of vulnerability is a reminder tha
A critical buffer overflow vulnerability was discovered in the freestanding runtime's custom string library, where `strcpy()` and `memcpy()` implementations lacked any bounds checking whatsoever. In a bare-metal or kernel-like environment with no OS-level memory protection, this flaw could allow an attacker to overwrite adjacent memory regions — including function pointers and security-critical state — with arbitrary data. The fix introduces a safe `strlcpy()` implementation that enforces destin
A high-severity out-of-bounds access vulnerability was discovered and patched in the `py32ioexp` Linux GPIO expander driver. The `py32io_gpio_direction_input()` function failed to validate a user-supplied pin offset against the chip's declared GPIO count, opening the door to memory corruption via the GPIO character device interface. A two-line bounds check now closes the vulnerability cleanly and efficiently.
A critical buffer overflow vulnerability was discovered and patched in the NetCDF Operators (NCO) library, specifically in the filter string construction loop within `nco_flt.c`. The flaw stemmed from repeated use of `strcat()` and `sprintf()` without any bounds checking, allowing an attacker to supply crafted filter specifications that overflow a fixed-size buffer and corrupt adjacent memory. The fix replaces these unsafe calls with bounds-aware `snprintf()` invocations that track the current w
A critical heap buffer overflow vulnerability was discovered in a DHCP server implementation where the hardware address length field (`hlen`) from an attacker-controlled packet was trusted without validation, allowing up to 239 bytes of heap corruption. The fix adds a simple bounds check before the memory copy, ensuring the copy length never exceeds the destination buffer size. This type of vulnerability can lead to remote code execution, denial of service, or full system compromise in network-f
A critical use-after-free vulnerability was discovered and patched in `zmap.h`, where freed memory pointers were not reset to a safe state after deallocation in the `map` destructor and move-assignment operator. This oversight allowed subsequent code paths — including destructors, iterators, and concurrent threads — to access memory that had already been returned to the allocator, creating a condition exploitable for arbitrary code execution. The fix, a two-line change adding `inner = {};` after
A critical stack buffer overflow vulnerability was discovered in the ARM Hardware Abstraction Layer (HAL) initialization code, where an unchecked `vsprintf()` call could allow an attacker to overwrite the stack frame and achieve arbitrary code execution at the kernel level (ring-0). The fix replaces `vsprintf()` with `vsnprintf()` — a single-character change with enormous security implications. Left unpatched, this vulnerability could have allowed malicious hardware enumeration data or boot-time
A critical vulnerability in `runtime/zenith_runtime.c` allowed the `runtime_malloc()` function to accept negative size values, which when cast to an unsigned type could either trigger a massive failed allocation or produce a dangerously undersized buffer ripe for overflow. The fix adds a simple but essential guard clause that rejects non-positive sizes before they ever reach `malloc()`. Left unpatched, this class of bug can lead to heap metadata corruption, process crashes, or even arbitrary cod